Adversity can inspire creativity. It can also inspire insanity. Somewhere in between, we sing of the world electric. Data flows, laws are created and bypassed, privacy is threatened, Bad Guys drink their Red Bull, and the lowly information security professionals of the world stand a vigilant watch. Infosec workers huddle together against the storm, the small campfire of hope burning by our feet. On the coldest nights, stories are told, songs are sung, and coffee is consumed.

Friday, October 17, 2014

POODLE. The word invokes fear and loathing across the world. Without the clarification between "standard" and "miniature", the mind defaults to the diminutive version: yappy, insanely groomed, full of hate, and probably growling from a debutante's purse. If the POODLE vulnerability were "standard", you would know it is to be respected and admired: a hunter, a protector, a guide with curly hair.

Tuesday, August 5, 2014

Team Cymru is a great source of information regarding Internet security. One example they offer is a fine summary of ephemeral source port selection strategies for modern OSes. It's handy if you are crafting IDS rules or want to understand what you're seeing in your sniffer.

And it feeds the muse in weird and wonderful ways.

You Come From Ports Ephemeral

In darkest aether, packets flow.
It's to IP address they go.
But when they reach their final place,
So many choices, they must face.

Deep within the packet's heart
It lists its goal, it lists its start.
It knows which port to which to bind,
And just what port it left behind.

You come from ports ephemeral,
And most ignore this numeral,
But hackers know your history,
And solve the OS mystery.

Foolishly ignore the past,
You'll find you're losing info fast.
So much can be learned from all these
Port selection strategies.

You come from ports ephemeral,
And most ignore this numeral,
But if you're tuning IDS
This makes you better than the rest.

It's not only the port of call,
Destination isn't all.
Get to know where things began:
There'll be more value from your span.

You come from ports ephemeral,
And most ignore this numeral,
But hackers know your history,
And solve the OS mystery.
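The trick the song is singing about, as an added example (this is not code from the original post or from Team Cymru's summary): group the source ports seen from each host and keep only the OS families whose default ephemeral range fits every one of them. The ranges are the documented defaults (Linux 32768-60999, Windows Vista and later 49152-65535, Windows XP/2003 1025-5000); the flow records are constructed, and an administrator can change any of these ranges, so treat the output as a hint for tuning, not proof.

```python
"""Passive OS-family hints from ephemeral source ports.

Added example; not code from the original post or from Team Cymru's
summary. Ranges are each family's documented default; hosts can be
reconfigured, so the verdict is a hint to fold into IDS tuning.
"""
from collections import defaultdict

# (low, high, label) for each default ephemeral range.
EPHEMERAL_RANGES = [
    (1025, 5000, "winxp"),       # Windows XP/2003, allocated sequentially from 1025
    (32768, 60999, "linux"),     # Linux net.ipv4.ip_local_port_range (older kernels: 61000)
    (49152, 65535, "winvista"),  # Windows Vista and later (the IANA dynamic range)
]

# Constructed sample flow records: (src_ip, src_port, dst_ip, dst_port),
# in the order the connections were observed.
SAMPLE_FLOWS = [
    ("10.0.0.5", 49321, "192.0.2.10", 443),
    ("10.0.0.5", 52110, "192.0.2.10", 443),
    ("10.0.0.5", 61001, "192.0.2.20", 80),
    ("10.0.0.7", 33102, "192.0.2.10", 443),
    ("10.0.0.7", 40877, "192.0.2.11", 22),
    ("10.0.0.7", 58310, "192.0.2.10", 443),
    ("10.0.0.9", 1031, "192.0.2.10", 443),
    ("10.0.0.9", 1032, "192.0.2.10", 443),
    ("10.0.0.9", 1033, "192.0.2.30", 445),
    ("10.0.0.11", 50000, "192.0.2.10", 443),  # single port in the Linux/Vista overlap
]


def candidate_families(port):
    """Every OS family whose default range contains this source port."""
    return {label for lo, hi, label in EPHEMERAL_RANGES if lo <= port <= hi}


def classify_host(ports):
    """Intersect the candidates over all source ports seen from one host.

    Returns the sorted labels still consistent with every port. An empty
    list means no default range fits: a custom range, or a host sending
    from a fixed port (a DNS server answering from 53, for example).
    """
    ports = list(ports)
    if not ports:
        return []
    consistent = candidate_families(ports[0])
    for port in ports[1:]:
        consistent &= candidate_families(port)
    return sorted(consistent)


def looks_sequential(ports):
    """True when each connection took the next port number, the pre-Vista
    Windows pattern; Linux picks ports non-sequentially within its range."""
    return len(ports) >= 2 and all(b - a == 1 for a, b in zip(ports, ports[1:]))


def classify_flows(flows):
    """Group source ports by source IP and classify each host."""
    by_host = defaultdict(list)
    for src_ip, src_port, _dst_ip, _dst_port in flows:
        by_host[src_ip].append(src_port)
    return {
        ip: {"families": classify_host(ports), "sequential": looks_sequential(ports)}
        for ip, ports in by_host.items()
    }


if __name__ == "__main__":
    for ip, verdict in classify_flows(SAMPLE_FLOWS).items():
        print(ip, verdict)
```

The single-port host shows why you need several flows before trusting the answer: 50000 sits in both the Linux and the Vista range, and only a later port outside the overlap (or a sequential pattern) breaks the tie.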

Tuesday, July 1, 2014

Symantec published a report about some state-sponsored hacking of industrial control systems (ICS) in many countries, including the US. They identified the group that did this by the name "Dragonfly".

Dragonfly

I'm a wicked Dragonfly. You ain't never gonna learn.
When you think you found me, huh, I'll make a hairpin turn.
I'll zoom around your networks with intent to sabotage,
Sting you and be hiding out in perfect camouflage.

I am a master hacker, and I'm working for a state.
Before you ever find me, boy, it gonna be too late.
I'm trained in writin' malware, and I know your ICS.
Industrial control: it is the world that I know best.
I know about your BACnet, and your HMIs are mine.
I'll keep them running smoothly, and you'll think that you are fine.

But soon the time is comin' when I'll tear your systems down:
No lights, no steam, no coolin',
Don't think that I am foolin',
Might leave your furnace droolin',
Heck, I might blow up your town.

I'm a wicked Dragonfly, and I'm dartin' right and left.
I hacked your favorite website with some skills that you'd find deft.
You came and took a sippy from my evil waterhole.
I snuck on in to bite you, and I gobbled you up whole.

I took a look around with a sneaky little RAT.
I learned about your network as I poked at this and that.
I guess you never found out that an air gap is your friend,
You'll hold on to that error, right up to the very end.

I'm a wicked Dragonfly, and I'm dartin' left and right.
When your turbines start to screamin' it will be a scary sight.
I hope you have some candles and some chopped up firewood.
Your power grid is flimsy, soon to be all messed up good.

Monday, June 30, 2014

After Six Weeks

After six weeks
Of welcoming my new daughter into the world,
(Enjoying the blissful blessing of formal family leave,)
Ignoring the HIPAA violations at the hospital,
Trying not to observe the inefficient placement of security cameras during diaper runs,
Or balancing birth announcements and baby updates with my desire to lead a private life,
I return to my office and find:

My fingers still remember my password, even after changing countless diapers;
Our weekly staff meeting is unchanged in either place, time, agenda, or cynicism;
My coffee pot still offers eager and trusted assistance;
Pastebin still displays our passwords for the world to see;
Spam subject lines continue to evolve
(bowels and parasites joining viagra and loans);
Bots are still phoning home
(the cries from our computers admitting defeat);
Wordpress is still getting hacked while PHP looks on mutely;
Staff are still falling for phishing;
Students are still sharing illegally;
Professors are still typing in WordPerfect;
Sysadmins still resent us;
Webdevs still ignore us.

I return to the work,
Swimming in the winds of challenge and changeability,
Building rickety roofs to keep out the rough weather,
Watching the clouds to predict what the day will bring,
Hoping the heat won't wither my muscle
And the cold won't paralyze my bones.
I remind myself that we play the long game
(Yes, the game went on without me)
And the rules are still the same,
Playing out despite my absence,
But if I focus on the game,
So long as I keep playing to win,
I can eventually rest each night,
(After the baby has calmed herself and embraced a milky torpor,)
Knowing my work is heading somewhere
Through the storm.

Thursday, May 8, 2014

Good morning, SPC-goers! I hope last night was good for you. Many of us found ourselves at the bars, talking, planning, and dreaming.

Glasses dance
From table to mouth to table
Riding the conversation's
Ebbandflow,
Networking while talking networking,or policies,or war stories,or master plans,
Or planting the seeds for new plans
Deep in the soil of conversation
Watered by a rain
Of bar drinksand laughterand song.

The first break-out panel I attended this year was "A Consolidated Approach to Risk and Standards Management" by Matthew Dalton from The Ohio State University. OSU has a nice tool for doing risk assessments, which I plan to steal (once he's made it available). It is a method for defining your assets, measuring the likelihood and impact of different events, and creating a risk report that C-level folks can easily understand. It also contains a way to track mitigating controls (including their costs and their effectiveness) that affect those risks. Pretty slick.

If you use all those frameworks from NIST,
Regulators will never be pissed.
You'll look like a pro
And put on a good show
When the auditors search for what's missed.
_____________________

Greetings from St. Louis and the 2014 EDUCAUSE Security Professionals Conference. Today's keynote speaker has been Harriet Pearson talking about privacy, cybersecurity, and law. Here are my notes in haiku form.

Tuesday, April 1, 2014

Sadly, this post isn't an April Fool's joke. The flood of spam, delivering phishing messages that try to steal your information or malware that tries to do the same, continues to assail our email inboxes without pause. Criminals use this technique because it works: many people click on the links and images in the messages they receive, which may lead to malware, to a form that harvests your information, or simply to a flood of ad-laden webpages that earn the criminals money with every view.

Well, take up your Sousaphone and get ready to march the April blues away!

The Inbox March on April First

Every day's the first of April in my Inbox!
Every day someone's playing a big joke.
Some would say I should just delete the junk mail,
But instead it just makes me want to choke!

It would seem that my mailbox is all filled up,
And I must log in now to save my skin.
'nother one says I came into some money,
If I send my bank login to Prince Jim.

Jim it seems is a prince living in exile.
Royalty, they have never seemed so kind,
Unlike those who robbed my dear friend in London.
Didn't know that he had vacation time.

Monday, March 31, 2014

Windows XP is at an end. Microsoft announced a while back that they were stopping support of the operating system, and as of April 8th, they will no longer be providing security updates to the graying OS. This leaves many people in the lurch. Some users of XP cannot upgrade because their current computer cannot run a more modern OS and they cannot afford to upgrade their hardware. Other users, especially on college campuses, have laboratory and specialized equipment that was built on a Windows XP platform, and the vendor either cannot upgrade it or went out of business years ago.

Of course, there are also those who just don't want to change their OS. Their computer runs "just fine", and why fix what isn't broken? Warnings about security problems fall on deaf ears, and resistance grows with every attempt to sway them away from their Windows XP.

I Won't Be Abandoning Windows XP

I've had this here laptop since twenty-oh-one.
The two of us have had all sorts of great fun.
The best part about it was all it could be
Because I upgraded from Me to XP!

XP was the better OS, sir, by far.
'Twas faster and stabler and shined like a star.
It ran all my programs, a crash was quite rare.
It made my computing come without a care.

Oh, sure it had updates to fix this and that.
Three service packs later, quite stable it sat.
Occasional viruses might have caused harm,
But after a cleaning I'd feel snug and warm.

And now you all tell me that this is all done.
You tell me that XP's a race that is run.
I just won't believe it, I won't let it go.
Hell no, I won't upgrade, I just love it so!

Sure MS won't update my box any more.
They've thrown in the towel, they've shut up the door.
They've moved on to 7 and gross Windows 8.
But I just refuse to accept that whole fate.

So keep all your warnings, they won't be observed.
To me it all sounds like a notion absurd.
My XP keeps running, my XP loves me!
No, I won't be abandoning Windows XP!

Monday, February 17, 2014

Over this past weekend, Kickstarter.com emailed their userbase to inform them of a data breach that exposed users' usernames, email addresses, other personal information, and encrypted passwords. Bad guys could use these data to attack and take control of other accounts owned by the users, especially if they crack the passwords and those passwords are reused on other sites.

Always use unique passwords on each site you visit. Don't make it any easier on the bad guys.

My Twin

Did you know I have a twin?
Do you know where it's been?
Lingering in sites around
The Internet, where sites abound.
When my dear user must create
An account with which to participate,
He always uses my little twin,
And doing that's a little sin.

Now that my dear twin's alive,
It goes along for the ride,
Whether sitting encryptedly
Or left alone for all to see.
And if a bad guy comes along
And hacks the site; oh, it's so wrong!
My twin, it now be known to her!
My twin, it now creates a stir!

My twin will let the hacker know
Other places she can go:
Into my user's email box;
The places seen in Firefox;
Or allow the bad Anonymous
To find some dox and start a fuss;
Or steal my user's bank account:
My twin would show the full amount.

The lesson here for you to learn
Is every password made does yearn
To be unique and used just once.
Don't let yourself be seen a dunce.
Passwords distinct for every site
Will help you sleep throughout the night.
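The attack path the post and the poem describe, as an added example (not code from the original post or from Kickstarter): an attacker cracks the weak entries in a leaked dump of salted hashes offline, then replays each cracked email/password pair against an unrelated site. Both sites here are constructed in-memory user stores, the hashing scheme (salted SHA-256) is an assumption since the page does not describe the real one, and the wordlist is a stand-in for a cracking dictionary. Only the user who reused a crackable password loses the second account.

```python
"""One breach, many accounts: how a reused password travels.

Added example; not code from the original post or from Kickstarter.
Both sites are constructed in-memory stores, and salted SHA-256 is an
assumption standing in for whatever the breached site really used.
"""
import hashlib
import hmac
import secrets


def hash_password(password, salt):
    """Salted SHA-256 (assumed for the demo; a deliberately slow hash such
    as bcrypt or scrypt would make the offline pass far more expensive)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_site(users):
    """Constructed user store: email -> (random per-user salt, hash)."""
    store = {}
    for email, password in users.items():
        salt = secrets.token_bytes(16)
        store[email] = (salt, hash_password(password, salt))
    return store


# Constructed accounts. Bob reuses a weak password; Alice uses a unique
# one on the bank; Carol reuses a strong password the wordlist will not find.
BREACHED_SITE = build_site({
    "alice@example.com": "correcthorse",
    "bob@example.com": "letmein1",
    "carol@example.com": "Q9#vL2x!pRt8wZ",
})
BANK_SITE = build_site({
    "alice@example.com": "7y$Kd2!Lm-unique",
    "bob@example.com": "letmein1",
    "carol@example.com": "Q9#vL2x!pRt8wZ",
})

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "letmein1", "correcthorse", "qwerty"]


def verify(store, email, password):
    """A site's normal login check, with a constant-time digest compare."""
    record = store.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def crack_dump(store, wordlist):
    """Offline attack on the leaked dump. The per-user salt forces a
    separate pass over the wordlist for each account, which is cheap
    for a fast hash. Returns email -> recovered password."""
    cracked = {}
    for email, (salt, stored) in store.items():
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, salt), stored):
                cracked[email] = guess
                break
    return cracked


def credential_stuff(cracked, target_site):
    """Replay cracked email/password pairs against an unrelated site;
    only accounts whose owner reused the password open."""
    return sorted(email for email, password in cracked.items()
                  if verify(target_site, email, password))


if __name__ == "__main__":
    found = crack_dump(BREACHED_SITE, WORDLIST)
    print("cracked from dump:", found)
    print("also open the bank:", credential_stuff(found, BANK_SITE))
```

Note that salting did its job (each account needed its own pass) and still did not save Bob: the defence that actually stops the second step is the unique password, exactly as the post says.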

About Me

I write. I play games. I drink coffee. I do information security to pay the bills. Most of those bills are coffee and game-related.

Professionally, I've been in the information security field since 1999 with a focus on government and higher education. I have held a CISSP certification since 2000. Recently, my work has focused on compliance efforts, privacy topics, assessments, and consulting. I have presented on various topics at numerous conferences, sat on the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) Technical Advisory Group, and was a member of the Computer Security Incidents - Internet2 (CSI2) Working Group. I drink a lot of coffee and write on occasion. These are sometimes done together, which makes strange magic happen.

I hear the coffee dripping down,
From steam to grinds to pot it sounds.
No better gift in nature found.
This music makes the heart resound.